Security update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc

Announcement ID:	SUSE-SU-2019:0495-1
Rating:	important
References:	bsc#1048046 bsc#1051429 bsc#1114832 bsc#1118897 bsc#1118898 bsc#1118899 bsc#1121967 bsc#1124308
Cross-References:	CVE-2018-16873 CVE-2018-16874 CVE-2018-16875 CVE-2019-5736
CVSS scores:	CVE-2018-16873 ( SUSE ): 7.5 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16873 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( SUSE ): 6.8 CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N CVE-2018-16874 ( NVD ): 8.1 CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16874 ( NVD ): 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H CVE-2018-16875 ( SUSE ): 5.9 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2018-16875 ( NVD ): 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H CVE-2019-5736 ( SUSE ): 7.5 CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H CVE-2019-5736 ( NVD ): 8.6 CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H CVE-2019-5736 ( NVD ): 8.6 CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Affected Products:	Containers Module 15 SUSE Linux Enterprise High Performance Computing 15 SUSE Linux Enterprise Server 15 SUSE Linux Enterprise Server for SAP Applications 15

An update that solves four vulnerabilities and has four security fixes can now be installed.

Description:

This update for containerd, docker, docker-runc, golang-github-docker-libnetwork, runc fixes the following issues:

Security issues fixed:

• CVE-2018-16875: Fixed a CPU Denial of Service (bsc#1118899).
• CVE-2018-16874: Fixed a vulnerabity in go get command which could allow directory traversal in GOPATH mode (bsc#1118898).
• CVE-2018-16873: Fixed a vulnerability in go get command which could allow remote code execution when executed with -u in GOPATH mode (bsc#1118897).
• CVE-2019-5736: Effectively copying /proc/self/exe during re-exec to avoid write attacks to the host runc binary, which could lead to a container breakout (bsc#1121967).

Other changes and fixes:

• Update shell completion to use Group: System/Shells.
• Add daemon.json file with rotation logs configuration (bsc#1114832)
• Update to Docker 18.09.1-ce (bsc#1124308) and to to runc 96ec2177ae84. See upstream changelog in the packaged /usr/share/doc/packages/docker/CHANGELOG.md.
• Update go requirements to >= go1.10
• Use -buildmode=pie for tests and binary build (bsc#1048046 and bsc#1051429).
• Remove the usage of 'cp -r' to reduce noise in the build logs.

Patch Instructions:

To install this SUSE update use the SUSE recommended installation methods like YaST online_update or "zypper patch".
Alternatively you can run the command listed for your product:

• Containers Module 15
  zypper in -t patch SUSE-SLE-Module-Containers-15-2019-495=1

Package List:

• Containers Module 15 (ppc64le s390x x86_64)
  • docker-debugsource-18.09.1_ce-6.14.1
  • docker-libnetwork-debuginfo-0.7.0.1+gitr2711_2cfbf9b1f981-4.9.1
  • docker-libnetwork-0.7.0.1+gitr2711_2cfbf9b1f981-4.9.1
  • containerd-1.2.2-5.9.1
  • docker-18.09.1_ce-6.14.1
  • docker-runc-1.0.0rc6+gitr3748_96ec2177ae84-6.12.1
  • docker-runc-debuginfo-1.0.0rc6+gitr3748_96ec2177ae84-6.12.1
  • docker-debuginfo-18.09.1_ce-6.14.1
• Containers Module 15 (noarch)
  • docker-bash-completion-18.09.1_ce-6.14.1

References:

• https://www.suse.com/security/cve/CVE-2018-16873.html
• https://www.suse.com/security/cve/CVE-2018-16874.html
• https://www.suse.com/security/cve/CVE-2018-16875.html
• https://www.suse.com/security/cve/CVE-2019-5736.html
• https://bugzilla.suse.com/show_bug.cgi?id=1048046
• https://bugzilla.suse.com/show_bug.cgi?id=1051429
• https://bugzilla.suse.com/show_bug.cgi?id=1114832
• https://bugzilla.suse.com/show_bug.cgi?id=1118897
• https://bugzilla.suse.com/show_bug.cgi?id=1118898
• https://bugzilla.suse.com/show_bug.cgi?id=1118899
• https://bugzilla.suse.com/show_bug.cgi?id=1121967
• https://bugzilla.suse.com/show_bug.cgi?id=1124308